LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-05-2018, 07:11 AM   #1
Zyblin
Member
 
Registered: Oct 2013
Distribution: Linux Mint 18.3 (64)
Posts: 185

Rep: Reputation: 20
Post Spectre and Meltdown: Explanation, Info, What's being done, What can be done


https://thehackernews.com/2018/01/in...curity+Blog%29

Quote:
UPDATE: Researchers have finally disclosed complete technical details of two kernel side-channel attacks, Meltdown and Spectre—which affect not only Intel but also systems and devices running AMD, ARM processors—allowing attackers to steal sensitive data from the system memory.
---------------------------------------------------
Quote:
The first week of the new year has not yet been completed, and very soon a massive vulnerability is going to hit hundreds of millions of Windows, Linux, and Mac users worldwide.

According to a blog post published yesterday, the core team of Linux kernel development has prepared a critical kernel update without releasing much information about the vulnerability.

Multiple researchers on Twitter confirmed that Intel processors (x86-64) have a severe hardware-level issue that could allow attackers to access protected kernel memory, which primarily includes information like passwords, login keys, and files cached from disk.

The security patch implements kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space and keeps it protected and inaccessible from running programs and userspace, which requires an update at the operating system level.

"The purpose of the series is conceptually simple: to prevent a variety of attacks by unmapping as much of the Linux kernel from the process page table while the process is running in user space, greatly hindering attempts to identify kernel virtual address ranges from unprivileged userspace code," writes Python Sweetness.
It is noteworthy that installing the update will hit your system speed negatively and could bring down CPUs performance by 5 percent to 30 percent, "depending on the task and processor model." "With the page table splitting patches merged, it becomes necessary for the kernel to flush these caches every time the kernel begins executing, and every time user code resumes executing." Much details of the flaw have been kept under wraps for now, but considering its secrecy, some researchers have also speculated that a Javascript program running in a web browser can recover sensitive kernel-protected data.

AMD processors are not affected by the vulnerability due to security protections that the company has in place, said Tom Lendacky, a member of the Linux OS group at AMD.

"AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against," the company said. "The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."

The Linux patch that is being released for ALL x86 processors also includes AMD processors, which has also been considered insecure by the Linux mainline kernel, but AMD recommends specifically not to enable the patch for Linux.


Microsoft is likely to fix the issue for its Windows operating system in an upcoming Patch Tuesday, and Apple is also likely working on a patch to address the vulnerability.
https://thehackernews.com/2018/01/me...erability.html


Quote:
Unlike the initial reports suggested about Intel chips being vulnerable to some severe ‘memory leaking’ flaws, full technical details about the vulnerabilities have now been emerged, which revealed that almost every modern processor since 1995 is vulnerable to the issues.

Disclosed today by Google Project Zero, the vulnerabilities potentially impact all major CPUs, including those from AMD, ARM, and Intel—threatening almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system.


These hardware vulnerabilities have been categorized into two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could allow attackers to steal sensitive data which is currently processed on the computer.

Both attacks take advantage of a feature in chips known as "speculative execution," a technique used by most modern CPUs to optimize performance.

"In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions," Project Zero says.
Therefore, it is possible for such speculative execution to have "side effects which are not restored when the CPU state is unwound and can lead to information disclosure," which can be accessed using side-channel attacks.


Meltdown Attack

The first issue, Meltdown (paper), allows attackers to read not only kernel memory but also the entire physical memory of the target machines, and therefore all secrets of other programs and the operating system.
“Meltdown is a related microarchitectural attack which exploits out-of-order execution in order to leak the target’s physical memory.”

Meltdown uses speculative execution to break the isolation between user applications and the operating system, allowing any application to access all system memory, including memory allocated for the kernel. “Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection.” Nearly all desktop, laptop, and cloud computers affected by Meltdown.


Spectre Attack

exploit-for-spectre-vulnerability
The second problem, Spectre (paper), is not easy to patch and will haunt people for quite some time since this issue requires changes to processor architecture in order to fully mitigate.

Spectre attack breaks the isolation between different applications, allowing the attacker-controlled program to trick error-free programs into leaking their secrets by forcing them into accessing arbitrary portions of its memory, which can then be read through a side channel.

Spectre attacks can be used to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

“In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.” the paper explains. “KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”

According to researchers, this vulnerability impacts almost every system, including desktops, laptops, cloud servers, as well as smartphones—powered by Intel, AMD, and ARM chips.


What You Should Do:

Mitigations And Patches

Many vendors have security patches available for one or both of these attacks.

Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018

MacOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but MacOS 10.13.3 will enhance or complete these mitigations.

Linux— Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.

Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for their device manufacturers to release a compatible security update.



Mitigations for Chrome Users - Since this exploit can be executed through the website, Chrome users can turn on Site Isolation feature on their devices to mitigate these flaws.

Here's how to turn Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
*Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
*Look for Strict Site Isolation, then click the box labeled Enable.
*Once done, hit Relaunch Now to relaunch your Chrome browser.

There is no single fix for both the attacks since each requires protection independently.



EDIT:

To clarify a little with AMD, etc.

https://hosted.ap.org/demo/article/8...-security-flaw

Quote:
AMD said there is "near zero risk" to its own processors, either because its chips are designed differently, or security fixes for Microsoft Windows and other operating systems will take care of the problem. ARM Holdings said it's working with Intel, AMD and operating system vendors to address the problem. The ARM design is also used in Apple's mobile chips. Apple said late Thursday that all of its devices are affected, but it's already made fixes to help defend against Meltdown in laptops and phones and soon plans to release mitigations in the Safari browser to help defend against Spectre.
Quote:
AMD said there is "near zero risk" to its own processors, either because its chips are designed differently (MELTDOWN,) or security fixes for Microsoft Windows and other operating systems will take care of the problem (SPECTRE.)



EDIT 2

Mozilla Firefox

https://blog.mozilla.org/security/20...timing-attack/

Quote:
Mitigations landing for new class of timing attack

Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes. Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.

Specifically, in all release channels, starting with 57:

The resolution of performance.now() will be reduced to 20µs.
The SharedArrayBuffer feature is being disabled by default.

Furthermore, other timing sources and time-fuzzing techniques are being worked on.

In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers. This project requires time to understand, implement and test, but might allow us to consider reenabling SharedArrayBuffer and the other high-resolution timers as these features provide important capabilities to the Web platform.

Update [January 4, 2018]: We have released Firefox 57.0.4 which includes the two timing based mitigations described above.
Edit 3

More browser Information on potential attacks.

http://www.tomshardware.com/news/mel...ipt,36221.html

Quote:
Two CPU architecture flaws called Meltdown and Spectre were recently unveiled to affect primarily Intel, but also ARM and AMD (Spectre-only). Microsoft, Mozilla, and Google have now come out and said that attackers could exploit these flaws through your browser. However, temporary fixes are coming soon.


Microsoft Edge

A feature called “SharedArrayBuffer” was recently introduced in the Windows 10 Fall Creators Update. This was a JavaScript performance optimization for the Edge browser that allowed different execution threads to share the same data instead of passing the data from one thread to another each time one of them needed it.

Microsoft said it will disable this feature in order to “substantially increase the difficulty of successfully inferring the content of the CPU cache from a browser process.” This will decrease the resolution of the performance.now() timer from 5 microseconds (µs) to 20µs. The variable jitter will see an additional 20µs increase.

The company added that it will continue to investigate the two CPU flaws and will also take another look at how it can implement the SharedArrayBuffer feature in a more secure way in the future.


Mozilla Firefox

Mozilla said that its experiments have proven that attackers could exploit the recently discovered CPU flaws through the browser and read user’s private information.

According to Mozilla, the new flaws allow an attacker to use precise timers in the browser to do side-channel attacks when the cryptographic algorithms are executed (also called timing attacks). Therefore, the company is taking steps to disable all the precise timers in its browser, as well as the SharedArrayBuffer feature, that Firefox also recently implemented. The resolution of Firefox’s timers will also be reduced to 20µs.

Mozilla added that it will consider reimplementing the SharedArrayBuffer feature after it experiments with ways in which to do that in a safe manner. The organization noted that the high-resolution timers are important for the future of the web platform.


Google Chrome

The Chromium team also made a similar announcement, saying that the next version of Chrome (v64), which should arrive later this month, will disable the SharedArrayBuffer feature by default and modify the behaviour of its performance.now API.

As Chrome has always focused on on a higher-level of process sandboxing compared to other browsers, it seems that Google was already working on a feature, called Site Isolation, that that protect against Meltdown and Spectre on its own. However, users will have to enable it manually at chrome://flags/#enable-site-per-process.Researchers also found earlier this year that Site Isolation is effective against many other types of attacks.

The Chromium team also laid out some mitigations that web developers can also implement on their own sites:

Where possible, prevent cookies from entering the renderer process' memory by using the SameSite and HTTPOnly cookie attributes, and by avoiding reading from document.cookie.

Don’t serve user-specific or sensitive content from URLs that attackers can predict or easily learn. Attackers can load such URLs in their attack pages (e.g. <img class="lazy" data-src=”https://email.example.com/inbox.json”/>) to get the sensitive information into the process rendering their page, and can then use out-of-bounds reads to discover the information. Use anti-CSRF tokens and SameSite cookies, or random URLs to mitigate this kind of attack.

Make sure your MIME types are correct and specify a nosniff header for any URLs with user-specific or sensitive content, to get the most out of cross-site document blocking for users who have Site Isolation enabled.



Apple Safari

Apple hasn’t released an official statement on how it intends to patch its Safari browser, but it seems that it has already partially patched macOS 10.13.2 against Meltdown. More fixes should be coming soon.

What we're seeing from both the kernel patches as well as the browser patches is that Meltdown and Spectre can only be fixed by incurring at least some performance penalties. To remove these performance penalties, CPU makers will likely have to redesign parts of their CPU architectures in the near future.

Last edited by Zyblin; 01-06-2018 at 01:01 PM. Reason: Added more info and a link
 
Old 01-06-2018, 05:57 AM   #2
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Arch Linux && OpenBSD 7.4 && Pop!_OS && Kali && Qubes-Os
Posts: 824

Rep: Reputation: 350Reputation: 350Reputation: 350Reputation: 350
here is graph of cpu usage after patches :
https://lh6.googleusercontent.com/Mw...ejv9tvVBHfgSKr

here is the story :
https://www.epicgames.com/fortnite/f...ability-update

Last edited by //////; 01-06-2018 at 05:59 AM.
 
Old 01-12-2018, 02:45 PM   #3
geppy
LQ Newbie
 
Registered: Dec 2017
Posts: 15

Rep: Reputation: Disabled
I have seen info on a resource dedicated to assembly language programming (wasm.ru then wasm.ws(maybe) NOW 'wasm.in') regarding speculative execution and cache without #PF(PageFault) about 2-3 years ago. AMD was mentioned on a good side. I think they even refered to some earlier post on another resource.
Somebody decided to disclose this now because corpatate market is having trouble or because with all protection applied this crap is not exactly affective (other ways exist) - i don't know. But if goverment = internet-provider did't have desire to hack you by now then your have beeing safe for a while.
My 2 cents.

Last edited by geppy; 01-12-2018 at 03:20 PM.
 
Old 01-12-2018, 02:55 PM   #4
geppy
LQ Newbie
 
Registered: Dec 2017
Posts: 15

Rep: Reputation: Disabled
If you can't do GPG check:

Run your WebBrowser (that loads evil JavaScript code) on separate computer .
Trasfer = backup files to another computer where you run antivirus software.
From this 2nd computer transfer files to a computer #3 where you open files using a sandbox (yeah after they were check with antivirus).
Run your dedicated E-Mail program on computer #4, because, email soft generally doesn't make use of javascript if configured and doesn't display images.

And remember that same content JavaScript files that you browser always downloads over HTTPS is not safe for most HTTPS sites because with same unchanged content it is possible to recover private key that your browser generates during TLS handshake quickly enough - enough to mess with files that you receive.

Its up to you.

Last edited by geppy; 01-12-2018 at 04:02 PM.
 
Old 01-15-2018, 10:44 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,610
Blog Entries: 4

Rep: Reputation: 3905Reputation: 3905Reputation: 3905Reputation: 3905Reputation: 3905Reputation: 3905Reputation: 3905Reputation: 3905Reputation: 3905Reputation: 3905Reputation: 3905
It may well prove to be the case that users will accept the possibilty of a side-channel attack on the pipelined-execution capabilities of the microprocessor in order to retain the performance that they require. If the CPU doesn't pipeline, it runs very-substantially slower and also generates more heat. It may well prove to be the case that users accept the possibility of such an attack in order to continue getting the work done.
 
Old 02-08-2018, 02:39 PM   #6
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Rep: Reputation: 78
I find it hard to believe that there's no litmus test yet that can report whether one's system is vulnerable to the exploit. From what I've read, a successful attack has in fact been demonstrated on AMD processors. I found some articles on Ars Technica helpful in explaining these exploits to a lay person.

I also saw that there's an ubuntu page dedicated to them which links what appears to be a sort of official page on the exploits.

Has NO ONE released a reputable/reliable script to sniff out one's security status vis-a-vis these exploits? A google search showed this github repo which contains a checker script, but it hardly looks official or reputable. The script itself is a shell script of about 1800 lines.
 
Old 02-09-2018, 06:39 AM   #7
fatmac
LQ Guru
 
Registered: Sep 2011
Location: Upper Hale, Surrey/Hants Border, UK
Distribution: Mainly Devuan with some Tiny Core, Fatdog, Haiku, & BSD thrown in.
Posts: 5,443

Rep: Reputation: Disabled
Likely the safest way to use the internet would be to dedicate an old machine to use online, that will save your good one from attack, but it's not very practical for most people - why did they not use a secure system in the first place(?).

Will people who get attacked be able to get compensation from the chip manufacturers(?).
(After all, they sold defective equipment.)
 
Old 02-17-2018, 09:48 PM   #8
Crippled
Member
 
Registered: Sep 2015
Distribution: MX Linux 21.3 Xfce
Posts: 595

Rep: Reputation: Disabled
Update the kernel to a patched version for your distro. Here is an example that can happen from the Meltdown vulnerability if you don't. https://www.youtube.com/watch?v=DOxBMzSuk4g
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Security Alert regarding Nividia Drivers from The Hacker News NattyNarwhal Linux - News 2 04-07-2013 12:57 AM
LXer: Hacker testifies News Corp unit hired him LXer Syndicated Linux News 0 04-26-2008 10:10 PM
have you heard the news "Gary McKinnon" an hacker geting 70 years in prison samuelmp General 27 05-14-2006 03:35 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration